If you keep up with the security news at all, you know that on June 9th the email addresses and the device ICC-ID for at least 114,000 3G iPad subscribers were exposed.
Leaving aside any of the hype around disclosure, FBI investigations, and bad PR, here are the important bits:
- We don’t know if bad guys got their hands on this information, but it is safest to assume they did.
- For most of you, having your email address potentially exposed isn’t a big deal. It might be a problem for some of the famous and .gov types on the list.
- The ICC-ID is the unique code assigned to the SIM card. This isn’t necessarily tied to your phone number, but…
- It turns out there are trivial ways to convert the ICC-ID into the IMSI here in the US according to Chris Paget (someone who knows about these things).
- The IMSI is the main identifier your mobile operator uses to identify your phone, and is tied to your phone number.
- If you know an IMSI, and you are a hacker, it greatly aids everything from location tracking to call interception. This is a non-trivial problem, especially for anyone who might be a target of an experienced attacker… like all you .gov types.
- You don’t make phone calls on your iPad, but any other 3G data is potentially exposed, as is your location.
- Everything you need to know is in this presentation from the Source Boston conference by Nick DePetrillo and Don Bailey.](http://www.sourceconference.com/bos10pubs/carmen.pdf)
Realistically, very few iPad 3G owners will be subject to these kinds of attacks, even if bad guys accessed the information, but that doesn’t matter. Replacing the SIM card is an easy fix, and I suggest you call AT&T up and request a new one.